When I start some docker containers I get the following log:
kernel: tpe: Denied untrusted exec of /usr/local/bin/docker-entrypoint.sh (uid:999) by /usr/local/bin/gosu (uid:999), parents: /usr/bin/containerd-shim (uid:0), /usr/bin/containerd (uid:0), /lib/systemd/systemd (uid:0). Deny reason: file is writable
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /usr/local/bin/docker-entrypoint.sh. To silence this message, run; sysctl tpe.log_verbose = 0
It says that /usr/local/bin/docker-entrypoint.sh is untrusted, but I don't have this file on my system:
# ls -al /usr/local/bin/docker-entrypoint.sh
ls: cannot access '/usr/local/bin/docker-entrypoint.sh': No such file or directory
# ls -ald /usr/local/bin
drwxr-xr-x 2 root root 4096 2019-02-21 20:06:32 /usr/local/bin/
The file in question is inside of the container:
root@mariadb:/# ls -al /usr/local/bin/*
-rwxrwxr-x 1 root root 5816 Jan 8 23:47 /usr/local/bin/docker-entrypoint.sh
-rwxr-xr-x 1 root root 1286720 May 24 2017 /usr/local/bin/gosu
I tried to add the execs to tpe.trusted_apps, but that doesn't work. So how do I handle a case like docker?
This kernel module wasn't designed with filesystem name-spacing in mind, as it was started prior to docker becoming popular. You don't see /usr/local/bin/docker-entrypoint.sh on your filesystem, because that file exists within the namespace of the docker container.
As far as allowing execution of it -- the real fix should be to the container itself. Inside docker or not, proper filesystem ownership and permissions should always be done first. It's the group writable bit on this file that's causing the problem.
Now of course in the world of docker, you have a lot of images which don't conform to proper filesystem security & other things, because people are assuming docker does sandboxing well enough. In short, you're going to have a lot of problems running docker containers that you didn't craft yourself.
The easiest workaround I can think of is to add an option to disable checking for execution outside of the root namespace (i.e. inside docker containers) to prevent collisions between TPE and running docker containers. The containers won't get the TPE protection, but the host still will.
Does that sound like an acceptable solution to you?
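The following is an added example, not code from this thread or from the tpe-lkm module itself. It emulates the one deny reason visible in the log above ("file is writable": the group or world write bit is set on the executable) against a constructed stand-in for the container's /usr/local/bin with the same mode bits the reporter lists (docker-entrypoint.sh 0775, gosu 0755), and then applies the fix the maintainer describes: clear the group write bit in the image rather than soften TPE on the host. The function names, the temporary rootfs and the reduction of TPE's policy to a single write-bit test are assumptions made for illustration; the real module performs further checks (ownership, parent directory) that are not reproduced here.

```shell
#!/bin/sh
# Added example, not tpe-lkm code. Assumption: the "file is writable" deny
# reason reduces to "group- or world-writable executable"; the real module
# has more checks that are deliberately not emulated here.
set -u

# tpe_writable_check FILE
# Returns 0 (allow) when neither the group nor the other write bit is set,
# 1 (deny) otherwise, mirroring the "Deny reason: file is writable" log line.
# Uses ls(1) output so it works on both GNU and BSD userlands.
tpe_writable_check() {
    f=$1
    perm=$(ls -ld "$f" | cut -c1-10)       # e.g. -rwxrwxr-x
    gw=$(printf '%s' "$perm" | cut -c6)    # group write bit
    ow=$(printf '%s' "$perm" | cut -c9)    # other (world) write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "tpe: Denied untrusted exec of $f. Deny reason: file is writable" >&2
        return 1
    fi
    return 0
}

# tpe_fix_perms FILE
# The fix that belongs in the image: drop group/world write on the
# executable. In a Dockerfile this is the same "chmod go-w" as a RUN line.
tpe_fix_perms() {
    chmod go-w "$1"
}

# setup_demo_rootfs
# Builds a constructed (not real) stand-in for the container's /usr/local/bin
# with the same mode bits the issue shows, and prints its path.
setup_demo_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin"
    printf '#!/bin/sh\nexec "$@"\n' > "$d/usr/local/bin/docker-entrypoint.sh"
    printf '#!/bin/sh\nexec "$@"\n' > "$d/usr/local/bin/gosu"
    chmod 0775 "$d/usr/local/bin/docker-entrypoint.sh"   # group-writable, as reported
    chmod 0755 "$d/usr/local/bin/gosu"                    # already fine
    echo "$d"
}

# demo: show the denial, apply the in-image fix, show the check now passing.
demo() {
    root=$(setup_demo_rootfs)
    ep="$root/usr/local/bin/docker-entrypoint.sh"
    if tpe_writable_check "$ep"; then
        echo "unexpected: entrypoint allowed before the fix"
    fi
    tpe_fix_perms "$ep"
    if tpe_writable_check "$ep"; then
        echo "allowed after chmod: $(ls -l "$ep")"
    fi
    rm -rf "$root"
}

demo
```

Run on the host, the first check prints the emulated denial for the 0775 entrypoint while gosu passes untouched; after chmod go-w the entrypoint passes too. The same chmod belongs in the image's Dockerfile (or a derived image built FROM the upstream one), which is the per-container fix the reply recommends over softening TPE with setfattr on the host.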